
Covering your assets.

The concepts of security and safety traditionally have been at odds with corporate goals and priorities. Many companies view security as a necessary evil, an overhead expense whose function, by definition, is not revenue producing. If a word association game were played in most boardrooms today, security probably would be followed by the word guard, safety would be equated with poster, and fire protection would likely be followed by fire extinguisher or sprinkler.

We in the security industry must bear some responsibility for these stereotypes. Security managers, many of whom came from the ranks of retired law enforcement officers, seemed ill at ease in understanding business concepts, such as profit enhancement, return on investment, and maximizing resources. The security perspective was to protect a company from burglary or dishonest employees and was usually limited to physical asset protection.

The security manager was the one who wore the black hat, focusing on preventing crime, substance abuse, and fraud. But since most corporate executives perceived these evils as the competition's problems, efforts to address these risks were never totally embraced by senior management.

To understand proactive risk management, one must first understand how risks traditionally have been addressed. Traditional risk management has the following six primary characteristics:

It is reactive.

It is usually limited to physical asset protection.

It fails to demonstrate return on investment.

It does not harmonize with the corporate mission statement.

It is often diffused in terms of functions.

It displays a Titanic view of risks and their consequences.

Let's briefly talk about each characteristic.

Reactive. Security, safety, and insurance issues in the United States traditionally have been reactive. The following philosophies are often heard: "Why make waves when we don't have problems?", "I know a problem exists but it can't be quantified. So why deal with it? No one will understand anyway.", "If we address a problem, won't it be assumed that we admit to having a problem?", and "We haven't had a problem yet. Why deal with it?"

The reactive thinker is much like the apartment dweller in midtown New York who keeps the lights on all night and claims he or she has no cockroach problem. The problem is there; it just isn't overt.

Limited to physical asset protection. Security is viewed only as building security. The primary objective of the security department is to keep intruders from entering a facility. Alarms, guards, and access control are acceptable functions. Trying to address internal issues, such as employee dishonesty, fraud, computer crime, and substance abuse is unacceptable. The security director in this mode is nothing more than a guard supervisor.

No return on investment (ROI). The security department is viewed as an overhead expense having limited profit enhancement benefits (usually only justified because the insurance company requests it). ROI is a foreign concept to many security directors and companies (as it is related to managing risks).

Not in sync with company goals. The security department seems to operate separately from the company as a whole. No attempt is made to fully integrate security goals with corporate goals. In many cases, security department employees don't feel part of the company and are even ostracized. This isolation breeds resentment and a cycle of further organizational disparity.

Decentralized function. Risk management functions are handled by multiple departments. Worker's compensation issues, for example, may be handled by the personnel department. Insurance may be handled by accounting. Security may fall under building maintenance. Fire protection might be the responsibility of facility engineering or, in a leased facility, the landlord. Safety could be an operations department concern and, in many cases, limited to posters or brochures displayed in public locations (to give the impression that a security program exists).

A Titanic view. Traditional risk management displays a Titanic philosophy toward issues that face all businesses. Corporate executives who express such a view may claim, "We have no theft, no drug abuse, no fraud. I know my employees. Proposing programs to address these issues assumes that a problem exists and, quite frankly, is alarmist thinking."

Unfortunately, some businesses wait until they approach the iceberg before they decide to make a course change.

Risk management today is much different. It takes a proactive approach. Let's discuss some of the characteristics.

Physical security. Physical assets must be protected but with a user friendly alarm system. If you can protect your facility and still get the support of your organization's most diehard security adversary, then you have made the first significant contribution to developing a proactive risk management program.

Intellectual asset protection. A company's intellectual assets are the lifeblood of the organization. Companies go out of business every year because someone leaked proprietary information that destabilized the company's competitive edge.

Unfortunately, businesses in the United States rate low in protecting sensitive information. Just walk around in your own building after hours. You'll find file cabinets open, confidential information left out on desks and at copy machines, and meeting notes and flip charts left in conference rooms.

Many organizations have no corporate policy governing sensitive information. Most do not have a formal education program for employees or a means of identifying, protecting, or disposing of proprietary information. These are the same organizations that will be shocked when an information leak occurs.

Stress management. Employee stress costs American businesses between $50 billion and $70 billion a year. Stress directly affects medical insurance, safety, morale, productivity, and quality assurance. Many executives state that stress is a necessary by-product of any fast-paced organization, and if employees can't handle stress, they should resign.

This hard-line approach may sound bullish, but, in reality, it is naive. While stress is part of business, how employees handle it is critical to profit enhancement.

Today's risk manager must implement stress management programs to reduce negative stress and revitalize the mental and emotional energies of stressed employees. Not only will this approach enhance the outlook of the employee but also the business as a whole will be a lot healthier and more ready to tackle issues.

Substance abuse. Most companies do not like to discuss this issue openly. If you listen to the Drug Enforcement Administration, one in four employees uses drugs on the job. It's a problem that affects security, safety, productivity, and errors and omissions (for example, the software engineer who has a cocaine problem develops a flawed product and creates long-term liability implications for the company).

The objective of a substance abuse program should not be to identify drug abusers and fire them. The objective should be to help turn around the life of the abusing employee and make that individual a productive and fully functional contributor to the company once again. This approach not only saves the company the expense of recruiting and training a replacement, but, more importantly, it improves the organizational climate and saves the most important resource a company has - its employees.

Disaster recovery. Word association would probably find disaster recovery synonymous with fire. Consequently, most companies that have sprinklers may say that a disaster recovery plan is not necessary.

No one likes to think about disasters, but contingency planning is essential in today's business world. A company's viability, market share, customer confidence level, and competitive edge are on the line after a disaster occurs.

The liability facing a company if a plan has not been developed can be staggering. Planning must not center on data processing only but be expanded to address all business functions. Manufacturing, engineering, customer support, sales, purchasing and accounting must all have individualized contingency plans aimed at function restoration. The business that scoffs at contingency planning is gambling with its future.

Safety. The cost of worker injuries to American businesses approaches $35 billion annually. Thus, safety will continue to be the core of a solid risk management program.

Safety programming must involve the entire organization. Every material-handling job should be analyzed to identify job hazards.

Establishing a safety policy, an employee safety committee, and an incentive award program are essential elements of a proactive safety program. Solicit your worker's compensation insurance carrier for technical assistance. The carrier can usually provide training materials and expert engineering support to help you identify areas of exposure and redesign work processes to make them safer and more efficient. It can also help you understand and adhere to federal safety standards set by the National Fire Protection Association (NFPA) and the Occupational Safety and Health Administration (OSHA).

The safety program should not be limited to on-the-job safety. Emphasis on home and family safety helps legitimize and enhance a company's safety efforts. A safety poster on a wall is simply not enough. A positive and aggressive safety program will keep people at work, reduce worker's compensation premiums, and actually enhance productivity and company profits.

Loss prevention. Employee theft costs American businesses $40 billion to $50 billion each year. A proactive loss prevention program must build in the necessary safeguards to remove the opportunities dishonest employees use to steal. Surveilling exits, limited access to the building after hours, a formalized property removal system, periodic use of undercover operatives, good employee screening and reference checks, and routine audits of key business support functions (such as credit and collections, purchasing, and security) are all essential components of a sound loss prevention program.

These elements - coupled with good building security - and a statement by management that theft and its associated profit shrinkage have no place in the organization, go a long way in deterring dishonesty.

Return on investment. Proposing $20,000 in improvements to your building's fire protection system may not win executive approval. But attach a sheet from your insurance company that shows that through this expenditure you can save $30,000 a year in premiums, and suddenly you have a signed purchase requisition in hand. (This actually happened at my company.)

ROI gives legitimacy to the security, safety, and insurance functions. It shows that you are cognizant of the bottom line and not just a self-serving expense.

If a security system upgrade can save money through reducing the staff hours needed to protect the building, that's ROI. If a safety incentive award program costs the company $7,000 but saves the company $50,000 in worker's compensation and insurance premiums, that's ROI. If an employee assistance program can turn around the lives of troubled employees, eliminate the manifestations of stress and substance abuse, and save the company the cost of hiring and training replacements, that's ROI.

ROI helps the security director keep priorities in perspective. Always make decisions based on what's best for the company, not what's best for your department.

Building success. There are 10 components to building a successful risk management program.

* Centralize the function. To be successful, centralize your program's administration, policy formulation, evaluation, review, and supervision. If possible, security, safety, and insurance coordination should be the responsibility of one department.

In this arrangement, assignments are approached from one perspective and resources and energies are not duplicated. You also will have more clout and be able to get activities approved more easily. The department's activity must closely shadow the corporate macro view (also known as the big picture) of where the company is going and how it's going to get there.

* Interact with your insurance company. A critical triangular relationship must be established between your company, your insurance broker, and your property and worker's compensation insurance carrier. Insurance companies have been given a bad rap in recent years, stereotyped as greedy.

The fact is, the insurance industry has the same risk management goals as you do - to lower your company's risk. They don't want to pay out $200 million for a facility that burns to the ground or a $100,000 worker's compensation claim. It's to your advantage to work with them in solving problems, not to hide or ignore them.

Establish quarterly round-tables to identify and resolve issues, critique services, and review recent claims. Use their resources. Most carriers employ experts in NFPA and OSHA regulations, hazardous chemicals and waste disposal, and loss prevention programming. Use these experts. You're paying for them.

Create a return on your insurance premium. Work with the carrier in negotiating premium dividends or rebates for good loss histories. Strive to get your property rated a "highly protected risk." My company has been able to save over $300,000 in four years from doing just that (at a cost of $100,000), and that's just the direct cost savings!

* Ask for help. The risk manager, security director, or safety manager doesn't have all the answers. The most valuable and overlooked resource a risk management program has is its own employees. Involve major department managers in charting the course of your program.

Get employees involved through a safety committee, a job safety analysis, a suggestion program, or regular group meetings. Employees are the best experts at what they do. Use them and you'll get the best results while enhancing the credibility and legitimacy of the security department.

In all major policy formulations at my company, I sought the input and support of the employees and managers. Through this process, our safety program and security alarm system became their program, their system. At no time did we have the anticipated negative reaction to controls or procedures.

Presell an idea, attach a business necessity to it, document return if you can, and get input from those affected by it. You will be surprised at the results you'll achieve through such a process.

Use outside resources, too. Consultants, auditors, issue-specific companies, and others can help implement programs that you or your company simply can't implement due to limited time, resources, or expertise. Tying the expense of these consultants to profit enhancement (lowered risk, lowered insurance premiums, etc.) will also help sell using outside help. Ask these consultants how they can save you money.

* Do your homework. Research what you want to do and why you want to do it. Explain how the program will help the bottom line, not how it's going to help only you or your function.

Be sure to meld risk management goals with corporate goals. Identify why and how you're going to approach a problem, and outline the savings and the risks if the problem isn't addressed. Back up this outline with statistics (talk with your insurance company).

Homework also involves contriving scenarios to show how a loss could actually occur. Several years ago, I continually voiced concern over poor access control and freight procedures on our shipping dock. Dissatisfied with promises to control security better, I hired an undercover operative to see just how far a thief could go before being detected.

I had only been at my company for six months and didn't tell anyone in the organization - including my boss - what I was planning. Not only did the operative get on the dock without being challenged, but he stole $25,000 of finished product by loading it on his pickup truck. An employee debriefing later revealed that dock employees assumed the operative was an independent contract carrier.

The purpose of the exercise was not to embarrass anyone but to point out that this event could have actually occurred. My efforts to install an outside camera and initiate stringent procedures to process outbound shipments were approved that afternoon.

* Be a marketer. To be successful in this business, you must sell risk management to the organization. Don't assume a company is going to be impressed with your safety and security ideas.

* Be holistic and proactive. Deal with total issues. If you are trying to tackle the substance abuse issue, don't just think "drug testing." Address pre-employment screening, employee assistance, investigations, stress management, a positive policy, training, and exit interviews to determine employee perception of the problem.

Translate issues of concern in a manner in which the CEO, vice presidents, and directors can appreciate their impact on the company. Stay on top of issues. Don't wait for problems to come up before you address them.

* Audit. To ensure your programs work, continually assess their real and perceived level of effectiveness. This may mean something as simple as checking on your guards several times a month or activating a smoke detector to find out if the alarm works and the alarm company receives the alarm properly. Don't assume a well-designed program or system is going to work flawlessly forever. It is important to constantly strive to put quality back into security. Auditing helps you become a truly viable competitor.

* Approach issues from a business perspective. Don't view issues from your perspective only. To guarantee success you must take a more macro view.

Last year, I was told to reduce my budget considerably, including cutting my second shift guard coverage from two officers to one. My initial reaction was to protest severely since what the company proposed was going to affect facility security significantly. What I did instead was to brainstorm with my security coordinator and come up with a solution.

We reconfigured our alarm procedures so that alarms would annunciate via beeper and exiting employees would be monitored by video cameras tied to a VCR. In doing so, we freed up an access control officer to provide a roving patrol without compromising security. Cost: $8,000; savings: $20,000 per year.

* Flag your successes and failures. Send monthly reports to management identifying savings. If a problem comes up, deal with it. Then let management know that the recent problem was an example of what you had been talking about.

Some of the most effective means to get risk management programs approved have occurred through an incident. We've had information leaks, thefts, substance abuse, and fraud in an organization that four years ago said, "No way, we don't have these problems here." Sometimes you can talk about preventing losses until you're blue in the face. Until something actually happens, senior management can be politely apathetic. Just don't rub their noses in it when it happens and wag your finger at them, boasting, "I told you so."

* Don't be defensive. Don't take a "no," or a "you can't do it," or a "you'll have to cut back" personally. Look at issues from the company's perspective. Then either do what they say, reapproach the issue later, or come up with an innovative way to deal with a company's mandate or requirement.

Hopefully, if you use some of these steps, your life will be a little bit easier and your company's risk will be more successfully managed.
COPYRIGHT 1990 American Society for Industrial Security

Article Details
Title Annotation:proactive risk management
Author:Garrigan, John M.
Publication:Security Management
Date:Apr 1, 1990